The invention relates generally to the field of systems and methods for intercepting communications and more particularly to systems and methods for facilitating packet authentication.
Wiretapping, including interception and recording of communications, can be quite useful in investigations by governmental agencies such as law enforcement, as well as private investigative agencies. Although originally developed to intercept analog telephonic communications, more recently agencies have discovered that wiretapping can also be useful to intercept digital message packets transmitted by a computer or other packet source device, or received by another computer or other packet destination device, over, for example, a digital data network such as the Internet or World Wide Web.
A problem arises in connection with wiretapping of digital message packets which does not arise as readily in connection with wiretapping of analog communications. With wiretapping of analog communications, it is very difficult to tamper with a recording in an undetectable manner. That is, if someone tampers with a recording of analog communications, at least some tampering is likely to be detected, which can, in turn, put into question the veracity of all of the recordings developed during a wiretap. On the other hand, with digital data, the data can be easily tampered with, and the tampering is difficult to detect. The message packets can be encrypted using, for example, a public encryption key/private decryption key mechanism. In such an arrangement, the recording device which performs the wiretap can, after receiving a message packet, encrypt the message packet using the public encryption key. The private decryption key which can decrypt the encrypted message packets is only available to, for example, people who will be making use of the message packets as evidence in, for example, a trial in court. If the encrypted message packet is tampered with, the tampering is likely to be relatively easily detectable. It is unlikely that an encrypted message packet that has been tampered with would decrypt to a comprehensible message. In addition, if, as is common, the message packet originally had an error detection code, when a tampered-with encrypted message packet is decrypted, it is highly likely that the error detection code would indicate that the message packet, after decryption, is erroneous.
While the message packets can be encrypted and decrypted as described above to preserve the integrity of message packets recorded during wiretapping, several problems arise. First, encryption of a message packet can require a relatively significant amount of time. Accordingly, if the rate at which message packets are being received becomes relatively high, the encryption apparatus can easily become overwhelmed. In addition, although the order in which message packets are received by the wiretap apparatus can be important, the encryption of the separate message packets will not assist in verifying the order in which they are received. A time stamp can be applied to each message packet reflecting the time at which the message packet is received, either before or after encryption, but the time stamps can be applied in an erroneous manner.
The invention provides a new and improved packet interception system for intercepting packets transmitted from, for example, a particular packet source or to a particular packet destination, the packet interception system including an arrangement for facilitating authentication of intercepted packets.
In brief summary, the invention in one aspect provides a packet interception system for intercepting message packets transmitted from a packet source or to a packet destination, for processing them in such a manner as to facilitate verification of the contents and the sequence with which the message packets are intercepted, and for storing the processed message packets for later use. The packet interception system generates, for each intercepted message packet, a respective hash value, using any convenient hash algorithm, based on the respective intercepted message packet and the hash value generated for the previously-intercepted message packet, or, for the first intercepted message packet, a value that is provided to identify the session.
To verify a previously-stored intercepted message packet, the packet interception system, or another device, using the same hash algorithm, can process the sequence of stored intercepted message packets up to and including the intercepted message packet to be verified, and compare the hash value generated to the previously-generated hash value for each of the message packets. If the sequence of hash values so generated corresponds to the previously-stored sequence, both the integrity and the sequence of message packets are verified.
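The chained hashing and verification described above, as an added example that is not taken from the original text. SHA-256, the length prefix on each packet, and hashing the session identifier into a fixed-length seed are assumptions, since the text allows any convenient hash algorithm; the session value and packets are constructed samples.

```python
import hashlib
import hmac

# Constructed sample data (not from the original text).
SESSION_ID = b"session-0001"
SAMPLE_PACKETS = [b"SYN 10.0.0.5 -> 10.0.0.9", b"GET /index.html", b"FIN"]


def chain_hash(prev: bytes, packet: bytes) -> bytes:
    """Hash the previous hash value together with the length-prefixed packet."""
    h = hashlib.sha256()
    h.update(prev)
    h.update(len(packet).to_bytes(8, "big"))  # assumption: unambiguous framing
    h.update(packet)
    return h.digest()


def seed(session_id: bytes) -> bytes:
    """Assumption: the session-identifying value is hashed to a fixed-length seed."""
    return hashlib.sha256(session_id).digest()


def record(session_id: bytes, packets):
    """Interception side: return [(packet, hash)] in the order intercepted."""
    prev, log = seed(session_id), []
    for pkt in packets:
        prev = chain_hash(prev, pkt)
        log.append((pkt, prev))
    return log


def verify(session_id: bytes, log, upto=None):
    """Recompute the chain up to and including index `upto` (default: all).

    Returns the index of the first entry whose stored hash does not match,
    or None when contents and order are both consistent with the stored hashes.
    """
    prev = seed(session_id)
    end = len(log) if upto is None else upto + 1
    for i, (pkt, stored) in enumerate(log[:end]):
        prev = chain_hash(prev, pkt)
        if not hmac.compare_digest(prev, stored):
            return i
    return None


if __name__ == "__main__":
    log = record(SESSION_ID, SAMPLE_PACKETS)
    print("intact:", verify(SESSION_ID, log))
    print("reordered:", verify(SESSION_ID, [log[0], log[2], log[1]]))
```

The chain on its own detects changes only when the stored hash values have not been rewritten along with the packets; the digital signatures described in the following paragraph anchor selected hash values against that.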
In addition to the hash values, the packet interception system can, for selected ones of the intercepted message packets, generate digital signatures using any convenient encryption algorithm. In one embodiment, the encryption algorithm is selected to be a public verification key/private signature key algorithm. The private signing key is provided only to the packet interception system to facilitate digital signing of the intercepted message packets. The public verification key is provided to the packet verification system or other instrumentality that is to verify and use the intercepted packets. Since only the public verification key is available to the packet verification system, the digital signature can be verified thereby but not forged.
Since the packet interception system makes use of a hash algorithm to generate a hash value, instead of an encryption algorithm to generate encrypted message packets or a digital signature for each message packet, it will readily be able to process message packets as they are intercepted in generally real time.
In another aspect, the invention provides an intercept system monitor that monitors status and establishes predetermined conditions in said packet intercept system 10 over a wireless link.